System and method for detecting fraudulent calls

ABSTRACT

Systems and methods for evaluating transactions to determine if suspicious activities are possibly present. Various methods include providing a reference designator list with information associated with one or more suspicious activities. Using the reference designator list, a first and a second transaction systems are evaluated. Various systems include two or more transaction systems utilizing information from a fraud detection system.

This application is a continuation-in-part of U.S. application Ser. No.09/948,729 filed on Sep. 7, 2001; and U.S. application Ser. No. ______(Attorney Docket No. 20375-008700US), entitled Money Transfer EvaluationSystems and Methods, and filed on ______.

BACKGROUND OF THE INVENTION

This invention relates generally to the field of monitoring transactionsystems to identify suspicious activity.

Toll free authorization request numbers are typically provided tovarious merchants. Some merchants share toll free authorization requestnumbers while other merchants have their own private authorizationrequest numbers. These authorization request numbers are intended to beused by merchants to phone in authorizations when a card fails at thepoint of sale. Using these numbers allows a merchant to continue with asale when a given card can not be read electronically.

Unfortunately, fraud sometimes takes place when certain individuals areable to learn these authorization request numbers. These individuals mayhave computer-generated, stolen or otherwise obtained a potentialaccount number. The individuals use the potential account numbers tocall an authorization service, via an authorization request number, inorder to ascertain whether the potential account number is authorizedfor a given dollar amount. These fraudulent calls are often made fromhome phones, cell phones, pay phones, etc. Once the individuals learnthat a potential account number is authorized, they may attempt to usethe potential account number on the Internet, in a mail order, in atelephone order, in an in person transaction.

BRIEF SUMMARY OF THE INVENTION

The present invention includes systems and methods for evaluatingtransactions to determine if suspicious behavior exists. In someembodiments, the systems and methods are used to identify potentiallyand, in some cases, imminent fraudulent activity, such as that relatingto credit card transactions. In other embodiments, the systems andmethods provide for sharing information across a plurality of systemtypes to identify suspicious activity.

In one embodiment of the present invention, probable fraudulent activityis determined. An authorization request for a given dollar amount isreceived at a receiving center from a user. Using a fraud test, it isdetermined if the authorization request is likely to be indicative offraudulent activity.

An investigation area is coupled to the receiving center. Theinvestigation area houses a fraud detection processing system. The fraudtest can be run at the investigation area on the fraud detectionprocessing system. A determination is made as to whether the dollaramount falls within a certain threshold. This determination can beconsidered to be a part of the fraud test in one embodiment. If thedollar amount is within a certain threshold, then at the investigationarea the fraud test, or further fraud testing, is run on theauthorization request to determine if fraudulent activity is likely.

The receiving center communicates to the user whether or not the dollaramount is authorized. This information is obtained when the receivingcenter communicates with a management center, which in turn communicateswith an appropriate bank.

If it is determined at the investigation area that there is a likelihoodof fraud, then this is communicated to the bank via the receiving centerand the management center. Appropriate action can then be taken.

In one embodiment, the fraud test can comprise determining anoriginating phone number, wherein the originating phone number is thephone number from which the authorization request originated, andcomparing the originating phone number against a good list of legitimateoriginating phone numbers. If the originating phone number is notmatched with a number in the good list, the originating phone number canbe compared against a bad list of illegitimate originating phonenumbers. If the originating phone number is matched with a number in thebad list, the originating phone number can be flagged as probablyrelated to fraudulent activity. It is also envisioned that theoriginating phone number can be compared against the bad list before thegood list.

The fraud test can also include any one of: determining if at least oneother authorization request has a dollar amount equivalent to the dollaramount of the authorization request; determining if the authorizationrequest is for an even dollar amount; determining if the authorizationrequest occurs at a time that falls within one or more red flag timewindows; determining if at least one other authorization request occurswithin a red flag time of the authorization request; and determining ifa given number of authorization request occurs within a given time framefrom the same originating phone number.

Various embodiments include methods for evaluating transactions forsuspicious activity. Such methods include providing a referencedesignator list that includes data, or information associated withsuspicious activity. In some instances, the data is a subset ofinformation available from a particular transaction system. Thereference designator list is used to evaluate transactions occurring ona first and a second transaction system. In some embodiments, additionaldata, or information, is received from the first transaction system andincorporated into the reference designator list. Some embodimentsfurther include receiving information from the second transaction systemand incorporating it into the reference designator list. In particularembodiments, the added information is incorporated into the referencedesignator list by creating a new reference designator, associating theadded information with the new reference designator, and adding the newreference designator to the reference designator list.

In one particular embodiment, the first transaction system is involvedin responding to authorization requests, while the other transactionsystem is involved in money transfers. Such a first transaction systemcan implement reception of an authorization request, determination ofthe origin of the authorization request, and comparison of theauthorization request with information in a reference designator list.

Various systems in accordance with the present invention include a firstand second transaction system associated with a fraud detection system.In some embodiments, the first transaction system can be a creditauthorization system, while the second transaction system is a moneytransfer system.

The summary provides only a general outline of the embodiments accordingto the present invention. Many other objects, features and advantages ofthe present invention will become more fully apparent from the followingdetailed description, the appended claims and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is one embodiment of a fraud warning system.

FIG. 2 is a flowchart of one embodiment of a method of determiningprobable fraudulent activity.

FIG. 3A is a flowchart describing a server process.

FIG. 3B is a continuation of the flowchart of FIG. 3A.

FIG. 4 shows the fields used by an export file.

FIG. 5 illustrates subsystems of an exemplary computer system for usewith the present invention;

FIG. 6 illustrates a money transfer system that can be evaluated inaccordance with embodiments of the present invention;

FIG. 7 illustrates a fraud watch system in accordance with an embodimentof the present invention;

FIGS. 8 a-8 b illustrate an exemplary transaction record, where FIG. 8 ais the forst portion of the record and FIG. 8 b is the second portion ofthe same record; and

FIG. 9 illustrates and exemplary reference designator list in accordancewith embodiments of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Particular aspects of the present invention provide systems and methodsfor monitoring and detecting fraudulent activity. Such fraudulentactivity can include, but is not limited to, detecting fraudulent moneytransfers, fraudulent calls, and/or fraudulent credit card uses. In someembodiments, the fraud is detected by using information derived from aplurality of fraud detection systems. In one particular embodiment, areference designator list is developed from information obtained fromtwo fraud detection systems. The reference designator list can then beused to search a database associated with a money transfer system todetect prior fraudulent activity, and/or used in a real time situationto detect ongoing fraudulent activity. For example, the referencedesignator list can be queried in real-time whenever a request is madeto a receiving center to request an authorization.

Activity can be identified as suspicious by a variety of systems. Suchsuspicious activity can then be provided to systems and methods inaccordance with the present invention that maintain a central accessiblerepository of suspicious activity. The central repository can be used inreal-time to evaluate ongoing activity in light of the previouslydetected suspicious activity to determine if the ongoing activity isillegitimate. Systems and methods useful in identifying suspiciousactivity can include those disclosed in U.S. patent application Ser. No.______ (Attorney Docket No. 020375-008400US), entitled Systems andMethods for Monitoring Credit Fraud, and filed on ______; U.S. patentapplication Ser. No. ______ (Attorney Docket No. 020375-008700US),entitled Money Transfer Evaluation Systems and Methods, and filed on______; U.S. patent application Ser. No. ______ (Attorney Docket No.020375-008900US), entitled Systems and Methods for Monitoring CreditCard Transactions, and filed on ______. All of the foregoing referencesare incorporated herein by reference for all purposes.

Other aspects of the present invention provide systems and methods formonitoring authorization requests related to credit card transactions.Some aspects of monitoring authorization requests involve receivingauthorization requests at a transaction center, investigating theauthorization request, and either approving or denying the authorizationrequest based on the results of the investigation.

As shown in the exemplary drawings wherein like reference numeralsindicate like or corresponding elements among the figures, an embodimentof a system according to the present invention will now be described indetail. The following description sets forth an example of a frauddetection system and methodology. The system can be operated on manydifferent computing platforms, and other variations should be apparentafter review of this description.

Referring to FIG. 1, one exemplary embodiment of a fraud warning system100 is illustrated. A receiving center 102 for receiving communicationsfrom merchants is coupled to a management center 104. The managementcenter is in turn coupled to at least one bank 106. As used herein, theterm “bank” refers to a bank, financial institution, credit issuer,credit/charge card company or the like.

In keeping with aspects of the invention, receiving center 102 iscoupled to an investigation area 108 that houses a fraud detectionprocessing system. The receiving center can receive authorizationrequests 110 from users (e.g., merchants, etc.). Such authorizationrequests are typically received by a telephone call from the merchant.Conveniently, the receiving center may include an interactive voiceresponse unit where all calls may be handled in an automated manner.

Referring to FIG. 2, in operation, receiving center 102 receives anauthorization request for a dollar amount from a user (block S200). Atthis point, it is communicated to the user as to whether or not thedollar amount is authorized. The authorization request also includes anaccount number for the credit card and optionally the expiration date.This authorization request is typically but not necessarily in the formof a phone call to a toll free number. However, it is contemplated thatother suitable forms of communication, such as computers and networks,can be used as well. Each merchant who subscribes to the subjectservices is assigned one or more toll free numbers.

As mentioned above, sometimes the criminal element steals or generatesthese numbers and attempts to commit fraud. The criminals typically makean authorization request for a low amount (usually less than $100) tosee if the account number, credit card, etc., is authorized for use. Thereason for the criminal element trying to authorize a low dollar amountis so that as much credit is still available as possible. Once thecriminals receive authorization they typically use the account number tocommit fraud by making a purchase. However, it will be appreciated thatfraudulent activity may occur with larger requests, and the inventionmay be modified to screen these calls as well.

A determination is made as to whether the dollar amount falls within acertain threshold (block S202). This determination can be made atreceiving center 102 or investigation area 108. If the dollar amount iswithin a certain threshold (e.g., $0 to $100), then a fraud test will berun on the authorization request to determine if fraudulent activity islikely afoot. If not, no further fraud testing is done in oneembodiment, and the authorization request is processed as normal. Inother embodiments, a fraud test may be run on all transactions, or thethreshold could be increased, e.g., to $250. In some embodiments,determination of whether the dollar amount is within a certain thresholdis part of the fraud test.

A fraud test is run at investigation area 108 (block S204). It should benoted that the aspects of the fraud test can be implemented in software,hardware, manually, or by any suitable combination thereof. The fraudtest typically is run in investigation area 108 using the frauddetection processing system. In one embodiment, the fraud test maycomprise any combination of the following: determining an originatingphone number and comparing it against a good list of legitimateoriginating phone numbers; determining an originating phone number andcomparing it against a bad list of illegitimate originating phonenumbers; determining if multiple authorization requests made from thesame phone number have equivalent dollar amounts; determining if theauthorization request is for an even dollar amount; determining if theauthorization request occurs at a time that falls within one or more redflag time windows; determining if at least one other authorizationrequest occurs within a red flag time of the authorization request;determining if a given number of authorization requests occur within agiven time frame from the same originating phone number; and the like.Based on this fraud test, it is determined whether there is probablefraudulent activity (block S204).

In one embodiment, the time during which the authorization request 110came into receiving center 102 is determined and considered. As anexample, if the authorization request came into the receiving center at7:00 a.m. in the time zone of the receiving center, then the next stepmight be to determine where (including what time zone) the authorizationrequest originated from. One way this might be determined is to look atthe area code of the originating phone number. If it is determined thatthe authorization request came in it was also 7:00 a.m. at the placefrom which the authorization request originated, then this might not beindicative of fraudulent activity. On the other hand, if theauthorization request came in at 5:00 a.m. at the place from which theauthorization request originated, then this might be indicative offraudulent activity.

In another embodiment, the fraud test begins by comparing theoriginating phone number (or other information indicative of where theauthorization request originated from) with a list of known legitimatephone numbers. If the originating phone number is not matched with anumber in the legitimate list, the originating phone number is thencompared against a list of known illegitimate originating phone numbers.If the originating phone number is matched with a number on theillegitimate list, the originating phone number might be flagged asprobably related to fraudulent activity. Additionally, the originatingphone number can be added to the illegitimate list.

The call from the originating phone number (or other communication) canbe further investigated if the originating phone number was flagged asprobably related to fraudulent activity. The originating phone numbercan be determined in any suitable manner, such as by using a caller IDsystem as mentioned above. It is also envisioned that the originatingphone number (or other information indicative of where the authorizationrequest originated from) can be compared against the illegitimate listbefore being compared against the legitimate list.

Any suitable method of analyzing the results from above can be used todetermine probably fraudulent activity. As used herein, “probablefraudulent activity,” “likely to be indicative of fraudulent activity,”“probably related to fraudulent activity” and the like refer to acertain threshold of estimated likelihood that the authorization requestcame from a source having criminal intent (e.g., not an authorizedmerchant). This threshold can be changed as desired. Moreover, variouslevels of probable fraudulent activity can be determined if so desired.One possible manner of determining if there exists probable fraudulentactivity is to assign weights or points to the results of the variousblocks mentioned above.

Further, an investigative interface (e.g., a person) is determined(block S206). This person might query various public and private databases and conduct proactive investigation (calls the originating phonenumber in a pretext call) in order to ascertain ownership and control ofthe phone number. This way the person can verify whether that phonenumber is related to the merchant account which is involved in the“suspect” transaction which has previously qualified under the fraudsearch rules as a suspect transaction and as probably being indicativeof fraudulent activity. This person, or investigator, then “marks” thetransaction and therefore the telephone number (or other authorizationrequest) as good or bad. If it is determined at investigation area 108that there exists probable fraudulent activity, then this iscommunicated to the appropriate bank 106 via receiving center 102 andthe management center (block S208). Thus, bank 106 is warned thatfurther fraud is imminent. Appropriate action can then be taken, such asperforming a more thorough investigation and contacting the authoritiesand the fraud victim.

FIGS. 3A and 3B are flow diagrams of a process according to embodimentsof the present invention. The call interactive voice response database300, which can be within the receiving center 102, can send nightlybatch jobs 302 that contain data related to the authorization requests110. The data is transferred via SFTP to a Fraud Detection Server 304,which is coupled to a Fraud Detection Database 306.

Periodically, a fraud detection process is started; i.e., a fraud testis run (block S308). Fraud warning system 100 then checks for importfiles (block S310). In one embodiment, at approximately every minutewith the exception of the hours between 1:00 a.m. and 3:00 a.m. whenbackups and file transfers are taking place, fraud warning system 100checks for new import files at a pre-determined directory of FraudDetection Server 304. If multiple files are present, fraud warningsystem 100 will process them one at a time. If no files are present,fraud warning system 100 continues on to the next task in the loop. If afile is present (block S312), then fraud warning system 100 checks forinvalid records (block S314). The field values can be checked forinvalidity based on a validation number assigned to the field. A countof the invalid and valid records is taken and stored. Records that passthe data cleansing process are imported into the database running on theFraud Detection Server 304 (block S316).

In one embodiment, all historical caller ID or event origin phone number(or “ANI”) records with an update date of 180 days from the currentdate, whether good or bad, can be removed or purged from an ANI table(block S318). All historical records from a Raw Data Table with anauthorization request (or “ARU”) date over 180 days can be deleted.

Following the purge, all incoming records are checked against the ANITable to determine if the incoming event ANI has already been identifiedas good or bad. Then the good and bad ANI are flagged (block S320). Ifthe ANI is good then the record is removed from the Raw Data Table. If,on the other hand, it is a known bad ANI (or “KBA”) then it iscategorized as such. Once a record is flagged as KBA, then in someembodiments, it will not be deleted by another process.

In one embodiment, if the total events per credit master ID (e.g., thefirst six digits of a credit card number, or “BIN”) is two or less andthe time span between them is less than two minutes and it is the samecard number and it is not marked KBA, then the calling event is mostlikely valid. If an event is determined to be valid, it can be deletedfrom the Raw Data Table (block S322). The logic is that if a card numberis entered incorrectly the first time, a second event will show up forthe same card shortly thereafter.

In one embodiment, if the total number of calls per BIN is greater thantwo, and the card numbers match for the first twelve digits, and thetime between calls is less than or equal to five minutes, and the ANI isthe same, then the event is categorized as credit master (or “CRM”).This type of activity suggests card numbers were automatically generatedand possibly in the form of an automated dialing system. These creditmaster events are flagged (block S324).

Flagging skimmed lost stolen (or “SLS”) events (block S326) requiressorting the current Raw Data by ANI and comparing the area code of theincoming records with the area codes of KBA's previously identified.This can be done because certain area codes statistically have a higherrate of fraud associated with them, and therefore generate moreconsistent matches for this particular type of activity. The count ofevents must also be greater than or equal to a given number (e.g.,three) for each ANI.

Once this first subset of records has been selected, they can be loopedthrough and a second subset of data can be created for each ANI keyed byBIN. This is run through another loop that checks to see if within thissubset the BIN numbers are different, the amounts are within, forexample, five cents of each other and the time of the calls were within,for example, five minutes of each other. Each time these requirementsare met, a count is incremented by one. If after processing all therecords in the ANI subset this count is greater than or equal to, forexample, all events for that ANI and associated BIN's are categorized asSLS.

All event times can be saved in a certain time zone, e.g., Central TimeZone where fraud warning system 100 is located. Then, a calculation canbe made based on the ANI's area code to determine the correct time ofthe event (block S328).

Following the corrected event time, fraud warning system 100 can checkthe event time to see if the transaction took place at an odd hour forthe ANI local. If the event hour is between, for example, 3:00 a.m. and5:00 a.m., then it may be categorized as AFH (block S330). In oneembodiment, this categorization may be left out of the process.

At this point, the remaining uncategorized records are theoreticallyvalid and of no interest. These unprocessed events are purged from theRaw Data Table (block S332). The events that remain in the Raw DataTable can be assigned client numbers, or reference designations asdiscussed later (block S334). The client number can be determined bytaking the first six digits of the card number, or the BIN.Alternatively, the client number can be the ANI.

In order for events to be selected from a client interface, the lastserver import process appends the current import files' date(s) to theavailable dates table (block S336). This import file may then be movedto backup (block S338). Then, fraud warning system 100 can run a checkto find errors; if any (block S340). If there is no error, then theprocess returns to check for import files (block S310). Otherwise, theprocess goes to the error module (block S342). If there is a nonfatalerror, then a system administrator is notified. If there is a fatalerror, then the process stops.

If no file is present (block S312), then event mail is checked (blockS1314). Event mail is similar to a batch file but contains informationfor only one bad ANI. If there is an event mail (block S1316) then aBatchSend Table is purged (block S1318). Continuing on, there is anoption to create either an Excel or a delimited file (block S1320) whichallows clients to use data themselves. Then the file is encrypted (blockS1322), an E-mail is created (block S1324), and the file is attached tothe E-mail and sent (block S1326) to the client or other designee basedon client-provided information. The BatchSend Table is then updated(block S1328). Then an error check is run as before (block S1330). Ifthere is no error, it returns to B. If an error is found, the processgoes to the error module (block S1342).

Turning now to FIG. 3B, a check is done for daily batch mail (blockS344), because the mail may be in the form of a batch file containinginformation related to multiple events instead of a single event. Theprocess then runs as before, with blocks S346 to S360 corresponding withblocks S1316 to S1328, respectively.

If there is no batch mail, then the database is queried for the lastapplication running time (block S362). If it is time to send an E-mailto the administrators to let them know fraud warning system 100 is stillup and running, then the database is queried for the administratorsE-mail list (block S366). The confirmation E-mail created (block S368)and sent (block S370). Then fraud warning system 100 can enter a sleepmode for a predetermined period of time (block S372), and later returnto check for import files (block S310).

FIG. 4 shows fields included in the fields used by an export file. Thenightly batch job 302 generates these fields. These fields contain datarelated to the authorization requests. These fields include: the CallerID phone number, the card number, the authorization request date, thetime of the authorization request, the dollar amount requested, theDNIS, the merchant number, and the approval number, if any.

FIG. 5 illustrates subsystems found in one exemplary computer systemthat can be used in accordance with embodiments of the presentinvention. Computers can be configured with many different hardwarecomponents and can be made in many dimensions and styles (e.g., laptop,palmtop, server, workstation and mainframe). Thus, any hardware platformsuitable for performing the processing described herein is suitable foruse with the present invention. This hardware can be used, for example,in investigation center 108 for analyzing information to determine iffraudulent activity is likely.

Subsystems within are directly interfaced to an internal bus 210. Thesubsystems include an input/output (I/O) controller 212, a system randomaccess memory (RAM) 214, a central processing unit (CPU) 216, a serialport 220, a fixed disk 222 and a network interface adapter 224. The useof the bus allows each of the subsystems to transfer data among thesubsystems and, most importantly, with CPU 216. External devices cancommunicate with CPU 216 or other subsystems via bus 210 by interfacingwith a subsystem on bus 210.

FIG. 5 is illustrative of one suitable configuration for providing asystem in accordance with the present invention. Subsystems, componentsor devices other than those shown in FIG. 5 can be added withoutdeviating from the scope of the invention. A suitable computer systemcan also be achieved without using all of the subsystems shown in FIG.5. Other subsystems such as a CD-ROM drive, graphics accelerator, etc.,can be included in the configuration without affecting the performanceof system 100 included in the present invention.

One embodiment according to the present invention is related to the useof an apparatus, such as the computer system, for implementing asimulator according to embodiments of the present invention. CPU 216 canexecute one or more sequences of one or more instructions contained insystem memory 214. Such instructions may be read into memory 214 from acomputer-readable medium, such as fixed disk 222. Execution of thesequences of instructions contained in memory 214 causes CPU 216 toperform the process blocks described herein. One or more processors in amulti-processing arrangement may also be employed to execute thesequences of instructions contained in the memory. In alternativeembodiments, hard-wired circuitry may be used in place of or incombination with software instructions to implement the invention. Thus,embodiments of the invention are not limited to any specific combinationof hardware circuitry and software.

The terms “computer-readable medium” and “computer-readable media” asused herein refer to any medium or media that participate in providinginstructions to CPU 216 for execution. Such media can take many forms,including, but not limited to, non-volatile media, volatile media andtransmission media. Non-volatile media include, for example, optical ormagnetic disks, such as fixed disk 222. Volatile media include dynamicmemory, such as memory 214. Transmission media include coaxial cable,copper wire and fiber optics, including the wires that comprise bus 210.Transmission media can also take the form of acoustic or light waves,such as those generated during radio frequency (RF) and infra-red (IR)data communications. Common forms of computer-readable media include,for example, a floppy disk, a flexible disk, a hard disk, magnetic tape,any other magnetic medium, a CD-ROM disk, DVD, any other optical medium,punch cards, paper tape, any other physical medium with patterns ofholes a RAM, A PROM, an EPROM, a FLASH-EPROM, any other memory chip orcartridge, a carrier wave, or any other medium from which a computer canread.

Various forms of computer-readable media may be involved in carrying oneor more sequences of one or more instructions to CPU 216 for execution.The bus carries the data to memory 214, from which the processorretrieves and executes the instructions. The instructions received bythe memory can optionally be stored on fixed disk 222 either before orafter execution by the processor.

Many subsystem configurations are possible. FIG. 5 is illustrative ofbut one suitable configuration. Subsystems, components or devices otherthan those shown in FIG. 5 can be added. A suitable computer system canbe achieved without using all of the subsystems shown in FIG. 5.

As presented, FIGS. 1-5 illustrate embodiments for evaluating creditcard authorization activity to identify suspicious and/or fraudulentactivity using fraud warning system 100. In accordance with otherembodiments of the invention, detection of suspicious and/or fraudulentactivity can be coordinated between two or more transaction systems.Thus, as an example, fraud warning system 100 can be utilized inconjunction with information obtained from a money transfer system, orthe like. As an illustration, FIGS. 6-9 illustrate an embodiment of thepresent invention where fraud warning system 100 is used in conjunctionwith a money transfer system. It should, however, be recognized that anytwo or more systems can be used in accordance with the presentinvention. Thus, among others, two money transfer systems, two fraudwarning systems 100, two credit card monitoring systems, two cellularphone evaluation systems, or a combination thereof can be monitored inaccordance with the present invention.

Referring to FIG. 6, a money transfer system 1100 is comprised of aninterface system 1125, an automatic teller system (“ATM”) system 1145, adeposit maintenance network 1150, a credit maintenance network 1160 anda central exchange 1170. Interface system 1125 is communicably coupledto ATM system 1145 via an ATM network 1140, deposit maintenance network1150 and credit maintenance network 1160. In general, interface system1125 unifies a variety of transfer systems while supporting a variety ofmechanisms for introducing and receiving information to and/or frommoney transfer system 1100.

Interface system 1125 comprises a transaction center 1130 and one ormore terminals 1110 in communication via a transaction network 1120.Transaction network 1120 can be any communication network capable oftransmitting and receiving information in relation to a transfer ofvalue from one entity to another. For example, transaction network 1120can comprise a TCP/IP compliant virtual private network (VPN), theInternet, a local area network (LAN), a wide area network (WAN), atelephone network, a cellular telephone network, an optical network, awireless network, or any other similar communication network. Inparticular embodiments, transaction network 1120 provides message basedcommunications between terminals 1110 and transaction center 1130.

Terminals 1110 can be any terminal or location where value is acceptedand/or provided in relation to money transfers across money transfersystem 1100. Thus, in some instances, terminal 1110 is a conveniencestore where a clerk can receive value from a sender and initiatetransfer of the value to a receiver via money transfer system 1100. Insuch cases, the clerk can typically also provide transferred value to areceiver.

In other instances, terminal 1110 is an automated system for receivingvalue from a sender for transfer via money transfer system 1100 and/orfor providing value to a receiver that was transferred via moneytransfer system 1100. To accommodate various different paymentinstruments and types, terminal 1110 can include a variety ofinterfaces. For example, terminal 1110 can include a mechanism forreceiving cash, credit cards, checks, debit cards, stored value cardsand smart cards. Such terminals may also be used at the payout end toprint a check or money order, or to credit a cash card or stored valuecard. Examples of such terminals are described in copending U.S.application Ser. No. 09/634,901, entitled “POINT OF SALE PAYMENTSYSTEM,” filed Aug. 9, 2000 by Randy J. Templeton et al., which is anonprovisional of U.S. Prov. Appl. No. 60/147,899, entitled “INTEGRATEDPOINT OF SALE DEVICE,” filed Aug. 9, 1999 by Randy Templeton et al, thecomplete disclosures of which are herein incorporated by reference.

In yet other instances, terminal 1110 is a personal computer operated bya sender of value. Such a terminal can be communicably coupled totransaction center 1130 via the Internet. The terminal can furtherinclude a web browser capable of receiving commands for effectuatingtransfer of value via money transfer system 1100.

Terminal identification information can be associated with each terminal1110. Such identification information includes, but is not limited to, aphysical location, a telephone number, an agent identification number, aterminal identification number, a security alert status, an indicationof the type of terminal, a serial number of a CPU, an IP address, thename of a clerk, and the like.

Using money transfer system 1100, value can be transferred from any of anumber of points. For example, value can be transferred from terminal1110 to itself or any other terminal 1110, from any terminal 1110 to adeposit account via deposit maintenance network 1150 or creditmaintenance network 1160, from any terminal 1110 to any ATM 1114 via ATMnetwork 1140. Many other transfers to/from ATMs 1114, deposit accounts,terminals, and/or credit accounts can be accomplished using moneytransfer system 1100.

Referring to FIG. 7, a fraud watch system 1210 is provided incommunication with transaction center 1130 of money transfer system1100, and with fraud warning system 100. Thus, according to someembodiments of the present invention, fraud detection informationdeveloped in fraud warning system 100 can be utilized to detectsuspicious money transfers proceeding on money transfer system 1100 and,in converse, fraud detection information developed in association withmoney transfer system 1100 can be utilized to detect suspiciousauthorization requests handled by fraud warning system 100.

As illustrated, transaction center 1130 includes a network processor1132 to process data received and transmitted via transaction network1120. Data to/from network processor 1132 is available to a host 1133that may communicate with one or more of a value translator 1135, atransaction database 1136, a settlement engine 1137 and a messagingengine 1138 to perform functions associated with transferring value viamoney transfer system 1100. In turn, messaging engine may communicatewith a message translator 1139. The received and/or provided bytransaction center 1130 may include information on the sender,information on the recipient, identification information associated witha terminal 1110, the type and amount of value transferred, a desiredlocation to transfer the value, and the like. In some cases, a valuetranslator 1135 may be used to change the type of value. For example,value translator 1135 may do a foreign currency conversion, or maytransfer from one type of value to another, e.g. frequent flyer miles toUnited States' Dollars. All information that is processed mayconveniently be stored in transaction database 1136.

Settlement engine 1137 may be used to facilitate the crediting anddebiting of various accounts during a transfer. For example, if a senderrequests that funds from a credit card account be used in the transfer,settlement engine 1137 is used to contact credit maintenance network1160 to charge the card and to manage the fees involved in thetransaction. Such fees may be those charged by the credit organizationas well as internal fees that are a part of the money transfertransaction. Settlement engine 1137 may be used in a similar manner whencrediting or debiting checking accounts, stored value accounts, customerloyalty points and the like.

Once a value transfer is properly processed, data indicating thetransfer is sent by a switch 1134 to the appropriate network as shown.This may be to ATM network 1140, deposit maintenance network 1150 and/orcredit maintenance network 1160 to complete the transaction.

Fraud watch system 1210 includes a fraud processing server 1220 and awatch database 1230. Fraud watch system 1210 is associated withtransaction system 1130 in a manner that allows for access totransaction database 1136. Such association can be provided by directwired communication between transaction database 1136 and fraudprocessing server 1220, by direct or network communication betweentransaction center 1130 and fraud processing server 1220, or by anyother mechanism that provides fraud watch system 210 with access totransaction database 1136. In one particular embodiment, fraudprocessing server 1220 is communicably coupled to transaction network1120 and accesses transaction database 1136 via network processor 1132and host 1133. In another embodiment, fraud processing server 1220 isdirectly coupled to host 1133 and accesses transaction database 1136 viahost 1133. It will be recognized by one of ordinary skill in the artthat a number of other mechanisms exist within the scope of the presentinvention for providing access by fraud processing server 1220 totransaction database 1136.

Fraud processing server 1220 can be any microprocessor based devicecapable of retrieving data from transaction database 1136, searching andmanipulating the data, maintaining a form of the data on watch database1230, and providing access to data on database 1230. Such access to thedata can include formatting the data and providing the data in an easilyaccessible form. In some embodiments, fraud processing computer is asingle computer, such as a personal computer or a database server. Inother embodiments, fraud processing server is a group of two or morecomputers. In such embodiments, fraud processing computer can include acentral computer associated with one or more peripheral computers. Suchperipheral computers can be personal computers or portable devices, suchas lap top computers and/or personal digital assistants. In a particularembodiment, fraud processing server 1220 includes a SQL server, while inother embodiments, it includes an ORACLE server.

Fraud processing server 1220 includes a computer readable medium capableof maintaining instructions executable to perform the functionsassociated with fraud processing server 1220. The computer readablemedium can be any device or system capable of maintaining data in a formaccessible to fraud processing computer 1220. For example, the computerreadable medium can be a hard disk drive either integral to fraudprocessing server 1220 or external to the server. Alternatively, thecomputer readable medium can be a floppy disk or a CD-ROM apart fromfraud processing server 1220 and accessible by inserting into a drive(not shown) of fraud processing server 1220. In yet other alternatives,the computer readable medium can be a RAM integral to fraud processingserver 1220 and/or a microprocessor (not shown) within the server. Oneof ordinary skill in the art will recognize many other possibilities forimplementing the computer readable medium. For example, the computerreadable medium can be a combination of the aforementioned alternatives,such as, a combination of a CD-ROM, a hard disk drive and RAM.

In some embodiments, transaction database 1136 maintains a record ofmoney transfer activities associated with money transfer system 1100. Anexemplary embodiment of such a record of money transfer activities 1300is illustrated in FIGS. 8 a-8 b. Referring to FIG. 8 a, record 1300includes a schema 1305 outlining the type of data maintained for eachmoney transfer transaction. The types of data can include: a sender'slast name, sNameLast 301; a sender's middle name, sNameMiddle 1303; asender's first name, sNameFirst 1307, a sender's phone number, sPhone1309; a sender's address, sAddress 1311; the type of agent used by asender, sAgentType 1313; the agent's identification number, sAgentNumber1317; the date a transfer was requested, sDate 1319; the amount of therequested transfer, sAmountIn 1321; the type of value, sValueTypeIn1323; the cost of the transfer, sTransactionCost 1327; a receiver's lastname, rNameLast 1329; a receiver's middle name, rNameMiddle 1331; areceiver's first name, rNameFirst 1333, a receiver's phone number,rPhone 1337; a receiver's address, rAddress 1339; the type of agent usedby the receiver, rAgentType 1341; the agent's identification number,rAgentNumber 1343; the date a transfer was received, rDate 1347; theamount of the received transfer, rAmountOut 1349; and the type of valuereceived, rValueTypeOut 1351. It should be recognized that, within thescope of the present invention, any number of data types can be includedin record 1300.

As illustrated in FIGS. 8 a-8 b, record 1300 further includes a numberof specific instances 1310, 315, 1320, 1325, 1330, 1335, 1340, 1345,1350, 1355 of schema 1305. As described in detail in U.S. patentapplication No. ______(Attorney Docket No. 020375-008700US), entitledMoney Transfer Evaluation Systems and Methods, previously incorporatedby reference for all purposes; the various instances in record 1300 canbe analyzed, and based on the analysis a record designator list 1500 asillustrated in FIG. 9 can be developed.

Reference designator list 1500 can be used to analyze transactions asdiscussed in the previously referenced patent application. For example,reference designator list 1500 can be used is used in relation withdatabase management tools to access various money transfer recordswithin transaction database 1136 that, based on the referencedesignators, appear to be suspect.

In accordance with embodiments of the present invention, referencedesignator list 1500 can also be used in relation with fraud warningsystem 100 to detect fraudulent authorization requests. Moreparticularly, reference designator list 1500 can be accessed by fraudwarning system 100, and utilized in relation to methods previouslydescribed with reference to FIGS. 2-3. For example, in block S204, thetests run in investigation area 108 can include comparing the determinedoriginating telephone number with the various telephone numbers providedin reference designator list 1500. If a match is found, additionalinvestigation may be performed, or, in some instances, the authorizationmay simply be denied because it is associated with a cluster ofinter-related activities that appear suspicious.

In various embodiments of the present invention, phone numbersidentified as suspicious in fraud warning system 100 are incorporatedinto reference designator list 1500. Thus, for example, where atelephone number identified on fraud warning system 100 is not alreadyassociated with a reference designator within reference designator list1500, a new reference designator is created, associated with thetelephone number received from fraud warning system 100, and added toreference designator list 1500. Thus, when reference designator list1500 is used in relation to either fraud warning system 100 or moneytransfer system 1100, indicators of fraudulent activity from bothsystems is available for use in detecting suspicious activity.

At this juncture, it should be recognized that information from avariety of fraud detection systems can be incorporated into a referencedesignator list to provide a comprehensive approach to fraud detection.Furthermore, the types of data shared between detection systems is notlimited to telephone numbers, or even the information illustrated inreference designator list 1500. For example, fraud warning system 100can additionally provide credit card numbers that are suspicious, namesof suspicious users, and other relevant information. Yet further, otherfraud detection systems may provide additional information that isunique to the particular fraud detection scheme yet warrants inclusionin a common reference designator list.

The invention has now been described in detail for purposes of clarityand understanding. However, it will be appreciated that certain changesand modifications may be practiced within the scope of the appendedclaims. Thus, although the invention is described with reference tospecific embodiments and figures thereof, the embodiments and figuresare merely illustrative, and not limiting of the invention. Rather, thescope of the invention is to be determined solely by the appended claims

1-16. (canceled)
 17. A system for evaluating transaction for suspiciousbehavior, the system comprising: a first transaction system; and asecond transaction system, wherein both the first and the secondtransaction systems are in communication with a fraud detection system.18. The system of claim 17, wherein the fraud detection system compilessuspicious information from the first transaction system and suspiciousinformation from the second transaction system into a referencedesignator list available to both the first and second systems.
 19. Thesystem of claim 18, wherein the first transaction system comprises: areceiving center adapted to receive an authorization request to charge acredit account; and a fraud investigation system coupled to thereceiving center, wherein the fraud investigation system is configuredto determine if the authorization request is suspicious.
 20. The systemof claim 19, wherein the second transaction system comprises: a moneytransfer system.